and 21 CFR Part 11

Introduction

The AiTalent LCS has been built to ensure that clients can validate the system against 21 CFR Part 11. The aim of this document is to demonstrate AiTalent’s commitment to providing a system which is compliant and can be validated against the requirements of 21 CFR Part 11, Electronic Records; Electronic Signatures.

Background

21 CFR Part 11 was brought into effect in 1997 by the United States Food & Drug Administration (hereafter referred to as the Agency).

21 CFR Part 11 Requirements

21 CFR Part 11.10 CONTROLS FOR CLOSED SYSTEMS

21 CFR Part 11 Requirement

(a) Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records.

LCS functionality

The LCS is validated against an Operational Qualification after every build. This Operational Qualification is updated with every test script that is created during the testing of the LCS.

(b) The ability to generate accurate and complete copies of records in both human readable and electronic form suitable for inspection, review, and copying by the agency.

The LCS allows the export and printing of complete copies of records that are held within the LCS, in both electronic and human readable form suitable for inspection, review, and copying by the agency.

(c) Protection of records to enable their accurate and ready retrieval throughout the records retention period.

All LCS data is securely stored within a Microsoft SQL Server and all AiTalent hosted systems are subject to “security access”, routine “back up & restore” and “disaster recovery” procedures. It is the responsibility of Clients hosting their own LCS to establish “security access”, routine “back up & restore” and “disaster recovery” procedures to meet the requirements of this part.

(d) Limiting system access to authorized individuals.
Access to the LCS is secured via a username and password system.

It is the responsibility of the Client to establish procedures to ensure that individuals authorized to access the LCS are made aware not to share their electronic signatures with other individuals.

It is the responsibility of the Client to establish procedures to ensure that individuals (e.g. ex-employees) from whom the Client withdraws authorization to access the LCS cannot continue to access the LCS (e.g. by disabling the user account).

21 CFR Part 11 Requirement

(e) Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Record changes shall not obscure previously recorded information. Such audit trail documentation shall be retained for a period at least as long as that required for the subject electronic records and shall be available for agency review and copying.

LCS functionality

All electronic signatures created by the LCS are time stamped by the system in the audit trail to independently record the date and time of operator entries and actions that create, modify, or delete electronic records.

(f) Use of operational system checks to enforce permitted sequencing of steps and events, as appropriate.

The LCS allows the configuration of mandatory electronic signatures within the workflow as operational system checks to enforce permitted sequencing of steps and events, as appropriate.

(g) Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand.

All users of the LCS must successfully log into the system using their electronic signature to access the system.
(h) Use of device (e.g., terminal) checks to determine, as appropriate, the validity of the source of data input or operational instruction.

Users are required to log into the LCS using their electronic signature via a terminal to initially access the LCS system.

(i) Determination that persons who develop, maintain, or use electronic record/electronic signature systems have the education, training, and experience to perform their assigned tasks.

Record changes do not obscure previously recorded information. These time stamped audit entries cannot be changed or deleted and are available to the agency for review and copying.

It is the responsibility of the Client to establish a procedure to define the retention period of electronic records subject to the requirements of the relevant predicate rule.

Access to functionality is controlled by permission sets which can be used to limit access to certain authorized individuals.

Thereafter, whenever a user is required to enter their electronic signature to determine, as appropriate, the validity of the source of data input or operational instruction, the user is required to re-enter their full electronic signature (username and password).

All AiTalent development and quality assurance staff are trained.

It is the responsibility of the Client to establish procedures/job profiles to ensure that persons within the client organization that develop, maintain or use electronic record/electronic signature systems have the education, training, and experience to perform their assigned tasks.

21 CFR Part 11 Requirement

(j) The establishment of, and adherence to, written policies that hold individuals accountable and responsible for actions initiated under their electronic signatures, in order to deter record and signature falsification.
(k) Use of appropriate controls over systems documentation including:

(1) Adequate controls over the distribution of, access to, and use of documentation for system operation and maintenance.

(2) Revision and change control procedures to maintain an audit trail that documents time-sequenced development and modification of systems documentation.

LCS functionality

(j) It is the responsibility of the Client to establish, provide training for and ensure adherence to written policies that hold individuals accountable and responsible for actions initiated under their electronic signatures, in order to deter record and signature falsification.

(1) All of AiTalent’s development is performed in accordance with the internal company procedures and is subject to change control.

(2) AiTalent has established appropriate revision and change control procedures to maintain an audit trail that documents the time-sequenced development and modification of systems documentation.

21 CFR Part 11.10 CONTROLS FOR CLOSED SYSTEMS

21 CFR Part 11 Requirement

Persons who use open systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, as appropriate, the confidentiality of electronic records from the point of their creation to the point of their receipt. Such procedures and controls shall include those identified in 11.10, as appropriate, and additional measures such as document encryption and use of appropriate digital signature standards to ensure, as necessary under the circumstances, record authenticity, integrity, and confidentiality.
LCS functionality

It is the responsibility of the Client, where the LCS is deployed as an open system to create, modify, maintain, or transmit electronic records, to establish procedures and controls designed to ensure the authenticity, integrity, and, as appropriate, the confidentiality of electronic records from the point of their creation to the point of their receipt. Such procedures and controls shall include those identified in 11.10, as appropriate, and additional measures such as document encryption and use of appropriate digital signature standards to ensure, as necessary under the circumstances, record authenticity, integrity, and confidentiality.

21 CFR Part 11.50 Signature Manifestations.

21 CFR Part 11 Requirement

(a) Signed electronic records shall contain information associated with the signing that clearly indicates all of the following:

(1) The printed name of the signer;

(2) The date and time when the signature was executed; and

(3) The meaning (such as review, approval, responsibility, or authorship) associated with the signature.

LCS functionality

(a) Signed electronic records contain the following information associated with the signing:

(1) The username of the signer,

(2) The date and time the signature was executed,

(3) The meaning associated with the signature.

(b) The items identified in paragraphs (a)(1), (a)(2), and (a)(3) of this section shall be subject to the same controls as for electronic records and shall be included as part of any human readable form of the electronic record (such as electronic display or printout).

The username, date and time and meaning of electronic signatures as identified within paragraphs (a)(1), (a)(2) and (a)(3) of section 11.50 Signature Manifestations are included in the audit trail of all records showing electronic signatures. They are subject to the same controls as for electronic records (once entered, these values cannot be altered in any way)
and can be published in human readable form such as electronic display or printout.

21 CFR Part 11.70 Signature/record linking

21 CFR Part 11 Requirement

Electronic signatures and handwritten signatures executed to electronic records shall be linked to their respective electronic records to ensure that the signatures cannot be excised, copied, or otherwise transferred to falsify an electronic record by ordinary means.

LCS functionality

Electronic signatures in the LCS are recorded against specific training elements. These electronic signatures are time stamped and captured in the LCS audit trail. None of this information can be deleted or altered. This mechanism prevents the excising, copying, or otherwise transferring of signatures to falsify an electronic record by ordinary means.

21 CFR Part 11.100 General Requirements.

21 CFR Part 11 Requirement

(a) Each electronic signature shall be unique to one individual and shall not be reused by, or reassigned to, anyone else.

(b) Before an organization establishes, assigns, certifies, or otherwise sanctions an individual's electronic signature, or any element of such electronic signature, the organization shall verify the identity of the individual.

(c) Persons using electronic signatures shall, prior to or at the time of such use, certify to the agency that the electronic signatures in their system, used on or after August 20, 1997, are intended to be the legally binding equivalent of traditional handwritten signatures.

(1) The certification shall be submitted in paper form and signed with a traditional handwritten signature, to the Office of Regional Operations (HFC-100), 12420 Parklawn Drive, RM 3007 Rockville, MD 20857.

(2) Persons using electronic signatures shall, upon agency request, provide additional certification or testimony that a specific electronic signature is the legally binding equivalent of the signer's handwritten signature.
LCS functionality

Within the LCS each electronic signature is recorded against a single User ID for a single instance of a training element. It is the responsibility of the Client to establish a procedure to ensure that an existing electronic signature assigned to an individual is not reused by, or reassigned to, anyone else.

All electronic signatures must be entered with a username and password. This ensures that the identity of the signature is confirmed at time of entry. It is the responsibility of the Client to establish a procedure to verify the identity of any individual before assigning an electronic signature to the individual in question.

(c) It is the responsibility of the Client to certify to the agency (FDA) that the electronic signatures in their system are intended to be the legally binding equivalent of traditional handwritten signatures.

(1) It is the responsibility of the Client to submit the certification in paper form, signed with a traditional handwritten signature, to the Office of Regional Operations (HFC-100), 12420 Parklawn Drive, RM 3007 Rockville, MD 20857.

(2) It is the responsibility of the Client to, upon request by the agency, provide additional certification or testimony that a specific electronic signature is the legally binding equivalent to the signer’s handwritten signature.

21 CFR Part 11.200 Electronic signature components and controls.

21 CFR Part 11 Requirement

(a) Electronic signatures based upon biometrics shall be designed to ensure that they cannot be used by anyone other than their genuine owners.

LCS functionality

The AiTalent LCS does not use biometrics for electronic signatures, therefore the requirements of this part are not applicable.

21 CFR Part 11.300 Controls for identification codes/passwords.

21 CFR Part 11 Requirement
LCS functionality

Persons who use electronic signatures based upon use of identification codes in combination with passwords shall employ controls to ensure their security and integrity.
Such controls shall include:

(a) Maintaining the uniqueness of each combined identification code and password, such that no two individuals have the same combination of identification code and password.

All usernames within the LCS are unique. The system will not allow the use of the same username for two different accounts, therefore no two individuals can have the same combination of identification code and password.

(b) Ensuring that identification code and password issuances are periodically checked, recalled, or revised (e.g., to cover such events as password aging).

As part of the password security, all passwords can be given an expiry date to cover such events as password aging.

(c) Following loss management procedures to electronically deauthorize lost, stolen, missing, or otherwise potentially compromised tokens, cards, and other devices that bear or generate identification code or password information, and to issue temporary or permanent replacements using suitable, rigorous controls.

The LCS does not use external devices to generate password information.

(d) Use of transaction safeguards to prevent unauthorized use of passwords and/or identification codes, and to detect and report in an immediate and urgent manner any attempts at their unauthorized use to the system security unit, and, as appropriate, to organizational management.

As a transaction safeguard to prevent unauthorized use of passwords and/or identification codes, the LCS operates a lockout system whereby after a set number of failed attempts a user account is locked out until their account is reset by an administrator or manager.
If a Client hosts the LCS within their own intranet and if the Client uses tokens, cards, and other devices that bear or generate identification code or password information to access their own intranet, then it is the responsibility of the Client to establish loss management procedures to electronically de-authorize lost, stolen, or otherwise potentially compromised tokens, cards, and other devices that bear or generate identification code or password information, and to issue temporary or permanent replacements using suitable, rigorous controls.

When a user account has been locked out, the LCS reports to the user immediately that their user account has been locked. Managers can immediately detect within the LCS which of their Users have been locked out.

21 CFR Part 11 Requirement

(e) Initial and periodic testing of devices, such as tokens or cards, that bear or generate identification code or password information to ensure that they function properly and have not been altered in an unauthorized manner.

LCS functionality

(e) No devices are used to generate passwords within the LCS. If a Client hosts the LCS within their own intranet and if the Client uses tokens, cards, and other devices that bear or generate identification code or password information to access their own intranet, then it is the responsibility of the Client to establish procedures to conduct initial and periodic testing of such devices to ensure that they function properly and have not been altered in an unauthorized manner.